How to harden your smartphone against stalkers—Android edition

With great power comes great responsibility, so lock up that smartphone.

Root: the herpes of smartphone conditions

We know that the practice of rooting Android phones has a history almost as long and storied as Android itself with many proud participants. It is not always, or even often, used with bad intentions. However, it is fair to say that a rooted phone belonging to someone who doesn't know how to properly wield that power is not a very safe phone to use, particularly if the root was done by someone else. In this section, we will provide some information about unrooting and how to accomplish it.

The bad news about rooting is that it can be hard to undo; at least, there is no one app or process for unrooting every Android phone. Some phones may be very difficult to unroot depending on how new they are. Most general unrooting processes require that the phone have an OS update available or a backup of the stock ROM. Worse, sometimes unrooting processes remove the visual indicators that a phone has been rooted, but leave the superuser capabilities intact.

Factory reset won't unroot the phone, though it will remove any applications that are taking advantage of the root. Rooting is not a supported activity by manufacturers, carriers, or Google. So if the phone is rooted, you are on your own. If you're desperate and appeal to one of these higher powers, tell them the phone was rooted without your knowledge. They may help, but unless they want to dabble in the black arts of rooting/unrooting, they would essentially have to gift you a new phone. Therefore, there are no guarantees. If you've been ninja-rooted, take this moment to hate with a passion the person who did this to you.

Unfortunately, we can't run down all of the ways to unroot every make and model and OS version of Android phone. There are too many. Fortunately, the Internet is deep and wide and full of technically savvy people, many of whom can provide you with tools and instructions to unroot your phone. Yes, you don't know them, but advice offered freely to others on forums and blogs is preferable to a phone in the vise grip of a stalker. Be warned that unrooting is not a straightforward process. We can't guarantee that any tools that purport to unroot your device won't also do something malicious, so move forward with these steps at your own risk.

One-click root tools are fairly common, easy to use, and free. If you can find one that applies to your phone model and works on your operating system, they also usually work in reverse. The Google-fu search we'd use is "unroot tool [your phone model here]" or "one click unroot [your phone model here]." Install it, plug in your phone, run the app, click the "unroot" button, and that should do the trick.

If there are no tools, there may be instructions that involve downloading some files and using a command prompt (on Windows) or Terminal (on Mac OS X). If you're uncomfortable with that level of computer-phone interaction, get a more savvy friend to help you (Don't, obviously, intentionally ask your stalker. Hopefully if you ask another friend they won't, in a horror-movie-like twist, turn out to be your stalker).

Unrooting the phone should also prevent any apps on the phone like WebKey from working properly. However, that doesn't mean you shouldn't take steps to eradicate stalking possibilities at the app level, too.

Checking for unfamiliar apps

Unrooting won't take care of all the location-tracking activity on your phone, so now is a good time to do a sweep of your running applications as well as your app collection, drawer, tab, window, or whatever your particular UI terms that part of your phone.

Open your apps browser and go through, line by line, scrutinizing each one. Ask yourself if you remember installing it, or even ever using it. If it's unfamiliar, delete it. If an app is familiar but only because whoever set up your phone told you that you had to keep it running all the time so he/she could make sure everything was going OK on your phone, also delete it. If you want to see a list of applications that have been installed on the phone, there's usually one in Android's settings menu (Settings > Applications > Manage applications, for instance, on Android 2.1, or Settings > Apps on Android 4.0). Android phone settings menu setups are not all the same, but lists of installed, downloaded, and currently running apps are always available somewhere.

This is what the list of running apps looks like with Android 4.0

If you skipped the step on changing your password, the consequences will come to bear here. Someone with your password can log into your Google account and install apps directly to your phone using the browser version of Google Play as long is the phone is on. This requires no extra permissions from you. Usually the phone will show an icon in the top right corner that something is downloading, will pop an alert that the app was downloaded, and sometimes even install a shortcut right on the home screen. But this can vary from phone to phone. This also applies to apps that require a rooted phone, so that's why we're going through these steps in this order.

If there is an app you recognize but are worried it might be used against you, you can see what permissions are afforded the app from the "manage applications" menu we mentioned above. Selecting an app from that list will give you a list of permissions the app has—for instance, whether it can see your location, your text messages, and so forth. These often read as more intrusive than what the apps actually end up doing, but it's worth a look if you aren't sure.

A list of app permissions looks something like this. Every app has one.

One of the worst things about Android, from a security perspective, is that anyone can make an app and get it on your phone and sideload it (that is, install by means other than the Google Play store, Amazon Appstore, or other sanctioned method) if they have had access to it at some point. That app would have to obey certain rules if the phone is not rooted, like displaying an indicator that the GPS is in use. If it is rooted, most bets are off. Not everyone can develop an app, and even fewer people can whip up their own competent stalking app, but it's not impossible.

An app with remote control or tracking functionality could have an icon and name that look like anything. As long as it seems to be something innocuous, like a stock music player or a notetaking app, you may never have cause to open it and could pass over it unnoticed. Of course, if you tap what looks like a knockoff version of Bejeweled and the screen starts cascading the Matrix, you'll know something's up (not that that's what tracking apps look like on the inside always, or ever). Hence, if an app looks like a harmless one that came installed on the phone, open it and see what it does just to be thorough. Likewise, it's also possible to disable "built-in" apps you might need, like "Android keyboard." Leave those alone if you still want to be able to type.

Android 4.0 shows a separate list of apps that have been downloaded to the phone that may be worth cross-referencing with installed apps, to determine what is a stock app and what isn't.

Once again, we're just thinking broadly, this is a theoretical possibility. There are no recorded cases of it to our knowledge; it's just a potential issue that's worth being aware of. It doesn't take long to pop open an unfamiliar app, poke around, and then close it again. So if your stalker may be very knowledgeable, take the time for this.